Article Content

Article Number

000019480

Applies To

RSA ClearTrust PluginDNS

Issue

How to enable ClearTrust cookie with single entity domains (flat DNS)

When using a single entity domain structure (flat DNS), all hosts are attached to a single non-hierarchical domain name: instead of host.rsa.com, a flat DNS uses host.rsa only. In this situation the cookie created by the ClearTrust Plugin is rejected by the HTTP client (browser).

Cause

The domain value is set in the Plugin's Default.conf file during installation. If it is set to 'rsa', the Plugin creates client cookies with a Domain attribute of .rsa. This is not a legal cookie according to RFC 2109, section 4.3.2:

4.3.2 Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

* The value for the Path attribute is not a prefix of the request-URI.
* The value for the Domain attribute contains no embedded dots or does not start with a dot.
* The value for the request-host does not domain-match the Domain attribute.
* The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

Examples:

* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.
* A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.
* A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

The wording of the second rule above is easy to misread. Restated: a Domain value must both start with a dot and contain at least one further (embedded) dot after the leading one. '.rsa' starts with a dot but has no embedded dot, so it fails this criterion and the browser discards the cookie.

Resolution

Remove the domain value from the Plugin's Default.conf. The Plugin then issues the cookie without a Domain attribute, which is legal. Note that RFC 2109 section 4.3.1 defaults a missing Domain to the request-host, so the resulting cookie is scoped to the single host that issued it (a host-only cookie) and is not shared with other hosts in the flat domain.
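The following is an added example, not part of the RSA article and not the Plugin's own code. It implements the RFC 2109 section 4.3.2 rejection rules (and the section 2 domain-match) the way a user agent would apply them, so the Cause above can be checked mechanically: a Domain of .rsa from host.rsa is refused for lack of an embedded dot, while the cookie the Resolution produces (no Domain attribute) is accepted and scoped to the request-host. The hostnames and paths used (host.rsa, x.foo.com, y.x.foo.com, /app/) are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Added example (not RSA's Plugin code): a user-agent-style check that applies
# the RFC 2109 section 4.3.2 rejection rules to a Set-Cookie Domain/Path pair.
# Hostnames such as host.rsa, x.foo.com and y.x.foo.com are constructed inputs.


def is_ip_address(host: str) -> bool:
    """True if the request-host is an IP literal rather than a FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 domain-match.

    host domain-matches domain if the strings are equal, or if domain has the
    form '.B' and host is a FQDN of the form 'N.B' with N non-empty.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if is_ip_address(host):
        return False
    return domain.startswith(".") and len(host) > len(domain) and host.endswith(domain)


def reject_reason(request_host: str, request_path: str,
                  domain: Optional[str], path: Optional[str] = None) -> Optional[str]:
    """Return None if a user agent would store the cookie, otherwise the
    section 4.3.2 rule it violates."""
    # Rule 1: the Path attribute must be a prefix of the request-URI path.
    # A missing Path defaults to the request-URI path (section 4.3.1).
    effective_path = request_path if path is None else path
    if not request_path.startswith(effective_path):
        return "Path is not a prefix of the request-URI"

    # No Domain attribute: it defaults to the request-host (section 4.3.1),
    # giving a host-only cookie. Rules 2-4 do not apply.
    if domain is None:
        return None

    # Rule 2: Domain must start with a dot AND contain an embedded dot.
    # '.rsa' passes the first half but fails the second; '.com.' also fails.
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain[1:].rstrip("."):
        return "Domain contains no embedded dot"

    # Rule 3: the request-host must domain-match the Domain attribute.
    if not domain_match(request_host, domain):
        return "request-host does not domain-match Domain"

    # Rule 4: for a FQDN request-host of the form HD, H must contain no dot.
    # y.x.foo.com with Domain=.foo.com gives H='y.x' and is rejected.
    h = request_host[: -len(domain)]
    if not is_ip_address(request_host) and "." in h:
        return "request-host has more than one label in front of Domain"

    return None


def effective_domain(request_host: str, domain: Optional[str]) -> str:
    """Scope the stored cookie gets: the Domain attribute, or the request-host
    when the attribute is omitted (what the Resolution above produces)."""
    return request_host if domain is None else domain.lower()


if __name__ == "__main__":
    # Flat DNS with Default.conf domain 'rsa': Domain=.rsa is rejected.
    print(reject_reason("host.rsa", "/app/", ".rsa"))
    # Domain value removed from Default.conf: host-only cookie, accepted.
    print(reject_reason("host.rsa", "/app/", None), effective_domain("host.rsa", None))
    # Hierarchical DNS: Domain=.rsa.com from host.rsa.com is accepted.
    print(reject_reason("host.rsa.com", "/app/", ".rsa.com"))
```

Running the block prints the rule violated by the flat-DNS cookie, then `None host.rsa` for the host-only cookie, then `None` for the hierarchical case. The same function reproduces every example in the RFC excerpt quoted under Cause.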